Nice stats, Andrew!
And Pete, thanks for spending so much time and effort to make it work so
well, despite us beating on you because it doesn’t catch every spam campaign
from the very first message! Sniffer has always been our number one tool in
this battle.

Darin.
From: Colbeck, Andrew
Sent: Thursday, March 28, 2013 7:50 PM
To: Message Sniffer Community
Subject: [sniffer] How fast is *my* MessageSniffer? (was: IP Change on
rulebase delivery system)
Answer: pretty darn fast for a system that I think is slow anyway
I think my MTA is a busy system, and I know that it’s not MessageSniffer
that keeps the server busy. A glance with Task Manager or Process Explorer
shows very little CPU time is spent by MessageSniffer.
I threw some grepping etc and then Excel at the xml file for one average
business day and came up with…
25% of messages are scanned within 100ms
50% of messages are scanned within 140ms
99% of messages are scanned within 330ms
I also looked at the “setup time”. I’ll spare you the graph; my results are:
80% of messages are loaded so quickly that the time is recorded as zero ms
85% of messages are loaded in 15ms or fewer
95% of messages are loaded in 30ms or fewer
99% of messages are loaded 125ms or fewer
Actually, everything above 98% of my volume takes longer to load but for
ridiculously smaller volume of messages. A spot check shows that those are
indeed rodents messages of unusual size.
Thanks for the nudge, Pete. I knew MessageSniffer was fast, I just hadn’t
bothered to quantify it before.
Andrew.
-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf
Of Pete McNeil
Sent: Wednesday, March 27, 2013 2:43 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system
On 2013-03-27 17:16, Richard Stupek wrote:
> The spikes aren't as prolonged at the present.
Interesting. A short spike like that might be expected if the message was
longer than usual, but on average SNF should be very light-weight.
One thing you can check is the performance data in your logs. That will show
how much time in cpu milleseconds it is taking for each scan and how long
the scans are in bytes. This might shed some light.
http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp
Look for something like <p s='10' t='8' l='3294' d='84'/> in each scan.
>From the documentation:
> <s><p/></s> - Scan Performance Monitoring (performance='yes') p:s =
> Setup time in milliseconds p:t = Scan time in milliseconds p:l = Scan
> length in bytes p:d = Scan depth (peak evaluator count)
>
Best,
_M
--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
#############################################################
This message is sent to you because you are subscribed to
the mailing list <sniffer@sortmonster.com>.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to <sniffer-requ...@sortmonster.com>